WSL mirrored network Docker container cannot access Windows service #10926

Open
hzhq1255 opened this issue Dec 16, 2023 · 17 comments

@hzhq1255

Windows Version

Microsoft Windows [版本 10.0.22631.2861]

WSL Version

2.0.14.0

Are you using WSL 1 or WSL 2?

  • WSL 2
  • WSL 1

Kernel Version

Linux version 5.15.133.1-microsoft-standard-WSL2

Distro Version

Arch Linux

Other Software

No response

Repro Steps

1. Instead of using Docker Desktop, I used Docker CE:

sudo pacman -Qs docker
local/docker 1:24.0.7-1
    Pack, ship and run any application as a lightweight container
local/docker-buildx 0.12.0-1
    Docker CLI plugin for extended build capabilities with BuildKit
local/docker-compose 2.23.3-1
    Fast, isolated development environments using Docker

sudo systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: disabled)
    Drop-In: /etc/systemd/system/docker.service.d
             └─proxy.conf
     Active: active (running) since Sat 2023-12-16 13:46:04 CST; 9min ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 165 (dockerd)
      Tasks: 21
     Memory: 109.4M ()
        CPU: 662ms
     CGroup: /system.slice/docker.service
             └─165 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
  2. Windows network interface info
以太网适配器 vEthernet (static):

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::51c4:d9e0:abc3:cec4%6
   IPv4 地址 . . . . . . . . . . . . : 192.168.10.1
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

无线局域网适配器 本地连接* 1:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

无线局域网适配器 本地连接* 2:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . :

无线局域网适配器 WLAN:

   连接特定的 DNS 后缀 . . . . . . . : lan
   本地链接 IPv6 地址. . . . . . . . : fe80::69e5:7c68:6893:d9cd%27
   IPv4 地址 . . . . . . . . . . . . : 192.168.123.68
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.123.1

以太网适配器 vEthernet (Default Switch):

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::39f:faf5:890b:9706%48
   IPv4 地址 . . . . . . . . . . . . : 172.23.64.1
   子网掩码  . . . . . . . . . . . . : 255.255.240.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 vEthernet (WSL (Hyper-V firewall)):

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::1d6b:1d8:63c6:325a%67
   IPv4 地址 . . . . . . . . . . . . : 172.29.96.1
   子网掩码  . . . . . . . . . . . . : 255.255.240.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 vEthernet (BluestacksNxt):

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::b997:930:b729:56ed%71
   IPv4 地址 . . . . . . . . . . . . : 172.23.32.1
   子网掩码  . . . . . . . . . . . . : 255.255.240.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 vEthernet (WSL):

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::6275:cd47:bd0b:d612%77
   IPv4 地址 . . . . . . . . . . . . : 172.26.0.1
   子网掩码  . . . . . . . . . . . . : 255.255.240.0
   默认网关. . . . . . . . . . . . . :
  3. wslconfig
[wsl2]
memory=16GB 
swap=8GB
guiApplications=true
networkingMode=mirrored
dnsTunneling=true
firewall=false
autoProxy=true
hostAddressLoopback=true
[experimental]
autoMemoryReclaim=gradual 
sparseVhd=true
  4. WSL network mode
wslinfo --networking-mode
mirrored

If the network mode is NAT, I can use the Default Switch gateway IP to access Windows services.

  5. I have a proxy service running on Windows
➜  netstat -ano | findstr "7890"
  TCP    0.0.0.0:7890           0.0.0.0:0              LISTENING       30596
  TCP    [::]:7890              [::]:0                 LISTENING       30596
  UDP    0.0.0.0:7890           *:*                                    30596
  UDP    [::]:7890              *:*                                    30596
  6. When I was running the Docker container in WSL, the connection failed when I accessed port 7890 on the Windows LAN IP 192.168.123.68 or 192.168.10.1
  • Windows
➜  curl -I -svo /dev/null -x http://192.168.123.68:7890 https://www.google.com
*   Trying 192.168.123.68:7890...
* Connected to 192.168.123.68 (192.168.123.68) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
* Closing connection
  • Docker in WSL
~❯ docker run -it --rm debian:11 curl -I -svo /dev/null -x http://192.168.123.68:7890 https://www.google.com
*   Trying 192.168.10.1:7890...
* connect to 192.168.10.1 port 7890 failed: Connection refused
* Failed to connect to 192.168.10.1 port 7890: Connection refused
* Closing connection 0
  7. I've tried turning off the Windows and Hyper-V firewalls, but it doesn't work.
    When I run the container with the host network, it can access the Windows proxy service.
    I have also tried an nginx service running on Windows; the container cannot access that service either.

Is there a solution for containers to access Windows services even in bridge mode?

Expected Behavior

~❯ docker run -it --rm debian:11 curl -I -svo /dev/null -x http://192.168.123.68:7890 https://www.google.com
*   Trying 192.168.123.68:7890...
* Connected to 192.168.123.68 (192.168.123.68) port 7890
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.4.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
* Closing connection

Actual Behavior

~❯ docker run -it --rm debian:11 curl -I -svo /dev/null -x http://192.168.123.68:7890 https://www.google.com
*   Trying 192.168.10.1:7890...
* connect to 192.168.10.1 port 7890 failed: Connection refused
* Failed to connect to 192.168.10.1 port 7890: Connection refused
* Closing connection 0

Diagnostic Logs

WslLogs-2023-12-16_13-38-31.zip


Hi I'm an AI powered bot that finds similar issues based off the issue title.

Please view the issues below to see if they solve your problem, and if the issue describes your problem please consider closing this one and thumbs upping the other issue to help us prioritize it. Thank you!

Open similar issues:

Closed similar issues:

Note: You can give me feedback by thumbs upping or thumbs downing this comment.

@zhangzhao219

Same problem!

@nzlov

nzlov commented Jan 2, 2024

Same problem!

@nzlov

nzlov commented Jan 2, 2024

Temporary solution:

sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890

Proxy 7890 to 7891, use ip:7891 within docker.

@zhangzhao219

> Temporary solution:
>
> sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890
>
> Proxy 7890 to 7891, use ip:7891 within docker.

Can you describe it more specifically?
I tried to run your temporary solution in my mirrored WSL 2 and used ip:7891 within docker, but I cannot use the proxy in Windows either.

@nzlov

nzlov commented Jan 2, 2024

> Temporary solution:
>
> sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890
>
> Proxy 7890 to 7891, use ip:7891 within docker.
>
> Can you describe it more specifically? I tried to run your temporary solution in my mirrored WSL 2 and used ip:7891 within docker, but I cannot use the proxy in Windows either.

The IP needs to be replaced with your own Windows IP address.

@zhangzhao219

> Temporary solution:
>
> sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890
>
> Proxy 7890 to 7891, use ip:7891 within docker.
>
> Can you describe it more specifically? I tried to run your temporary solution in my mirrored WSL 2 and used ip:7891 within docker, but I cannot use the proxy in Windows either.
>
> The IP needs to be replaced with your own Windows IP address.

Of course... I tried lots of IPs, such as 127.0.0.1, 192.168.xxx, 172.xxx; none of them work.

@nzlov

nzlov commented Jan 2, 2024

> Temporary solution:
>
> sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890
>
> Proxy 7890 to 7891, use ip:7891 within docker.
>
> Can you describe it more specifically? I tried to run your temporary solution in my mirrored WSL 2 and used ip:7891 within docker, but I cannot use the proxy in Windows either.
>
> The IP needs to be replaced with your own Windows IP address.
>
> Of course... I tried lots of IPs, such as 127.0.0.1, 192.168.xxx, 172.xxx; none of them work.

Check that net.ipv4.ip_forward=1 is set.

sudo sysctl  --system | grep ip_forward

@zhangzhao219

> Temporary solution:
>
> sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890
>
> Proxy 7890 to 7891, use ip:7891 within docker.
>
> Can you describe it more specifically? I tried to run your temporary solution in my mirrored WSL 2 and used ip:7891 within docker, but I cannot use the proxy in Windows either.
>
> The IP needs to be replaced with your own Windows IP address.
>
> Of course... I tried lots of IPs, such as 127.0.0.1, 192.168.xxx, 172.xxx; none of them work.
>
> Check that net.ipv4.ip_forward=1 is set.
>
> sudo sysctl  --system | grep ip_forward

Yes, I ensure that this is set.

@hzhq1255
Author

hzhq1255 commented Jan 2, 2024

> Temporary solution:
>
> sudo iptables -t nat -A PREROUTING -p tcp --dport 7891 -j DNAT --to-destination 127.0.0.1:7890
>
> Proxy 7890 to 7891, use ip:7891 within docker.
>
> Can you describe it more specifically? I tried to run your temporary solution in my mirrored WSL 2 and used ip:7891 within docker, but I cannot use the proxy in Windows either.
>
> The IP needs to be replaced with your own Windows IP address.
>
> Of course... I tried lots of IPs, such as 127.0.0.1, 192.168.xxx, 172.xxx; none of them work.
>
> Check that net.ipv4.ip_forward=1 is set.
>
> sudo sysctl  --system | grep ip_forward
>
> Yes, I ensure that this is set.

It doesn't work for me either.

iptables

❯ sudo iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2    DNAT       tcp  --  anywhere             anywhere             tcp dpt:7891 to:192.168.10.1:7890

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
num  target     prot opt source               destination
1    RETURN     all  --  anywhere             anywhere

ip_forward

 ❯ sudo sysctl  --system | grep ip_forward
net.ipv4.ip_forward = 1

within docker container

❯ docker run -it --rm mydebian:11 curl -I -svo /dev/null -x http://192.168.10.1:7891 https://www.google.com
*   Trying 192.168.10.1:7891...
* connect to 192.168.10.1 port 7891 failed: Connection refused
* Failed to connect to 192.168.10.1 port 7891: Connection refused
* Closing connection 0
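
Added example, not written by any commenter or by the WSL project: a way to read an `iptables -t nat -L --line-numbers` listing like the one above and see what the Linux kernel does with each PREROUTING DNAT target. It assumes you pass in the IPv4 addresses that `ip -4 addr` reports inside WSL (that 192.168.10.1 and 192.168.123.68 are mirrored onto the Linux side is an assumption the thread does not confirm) and the `route_localnet` value of the ingress interface; rule 3 in the sample is constructed to stand for the 127.0.0.1 workaround.

```shell
#!/bin/sh
# Added example, not code from the thread. Rules 1-2 and POSTROUTING are copied
# from the listing posted above; rule 3 is constructed for the 127.0.0.1 case.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
2    DNAT       tcp  --  anywhere             anywhere             tcp dpt:7891 to:192.168.10.1:7890
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:7892 to:127.0.0.1:7890

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  172.17.0.0/16        anywhere'

# classify_dnat LOCAL_ADDRS ROUTE_LOCALNET   (listing on stdin)
#   LOCAL_ADDRS     space-separated IPv4 addresses from `ip -4 addr` in WSL
#   ROUTE_LOCALNET  net.ipv4.conf.<ingress-if>.route_localnet (0 or 1),
#                   e.g. for docker0 when the packet comes from a container
# Prints "<dport> <target> <verdict>" for every PREROUTING DNAT rule:
#   martian-dropped    127/8 target arriving on a non-loopback interface is
#                      discarded unless route_localnet=1
#   loopback-routable  route_localnet=1: the kernel routes it to lo (this
#                      also weakens 127/8 isolation on that interface)
#   local-delivery     target is one of the Linux side's own addresses, so a
#                      Linux socket must listen there or the connection is
#                      refused
#   forwarded          target is elsewhere; needs net.ipv4.ip_forward=1
classify_dnat() {
  awk -v locals="$1" -v rl="$2" '
    BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) own[a[i]] = 1 }
    /^Chain / { chain = $2; next }
    chain == "PREROUTING" && $2 == "DNAT" {
      dport = "?"; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i ~ /^dpt:/) dport = substr($i, 5)
        if ($i ~ /^to:/)  target = substr($i, 4)
      }
      ip = target; sub(/:[0-9]+$/, "", ip)
      if (ip ~ /^127\./)   verdict = (rl == 1) ? "loopback-routable" : "martian-dropped"
      else if (ip in own)  verdict = "local-delivery"
      else                 verdict = "forwarded"
      print dport, target, verdict
    }'
}

# Assumed values for illustration; substitute your own.
printf '%s\n' "$SAMPLE_NAT" | classify_dnat "192.168.10.1 192.168.123.68" 0
```

Because `route_localnet=1` relaxes the kernel's protection of 127.0.0.0/8 on that interface, a DNAT rule that relies on it is best restricted to the one port and source subnet that need it.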

@chanpreetdhanjal

Hi. Can you please collect networking logs by following the instructions below?
https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#collect-wsl-logs-for-networking-issues

@hzhq1255
Author

hzhq1255 commented Jan 9, 2024

> Hi. Can you please collect networking logs by following the instructions below? https://github.com/microsoft/WSL/blob/master/CONTRIBUTING.md#collect-wsl-logs-for-networking-issues

WslNetworkingLogs-2024-01-09_09-58-00.zip

@dducm

dducm commented Feb 19, 2024

Same problem

@hzhq1255
Author

hzhq1255 commented Mar 7, 2024

https://learn.microsoft.com/en-us/windows/wsl/networking#accessing-windows-networking-apps-from-linux-host-ip

The docs could resolve accessing Windows from WSL, but do not resolve accessing Windows from Docker containers within WSL.

@c00t

c00t commented Mar 7, 2024

> The docs could resolve accessing Windows from WSL, but do not resolve accessing Windows from Docker containers within WSL.

There doesn't seem to be a difference between Docker in WSL and using Docker Desktop with a WSL backend? I think you need to be sure of a couple of things:

  1. Does the command you are using work correctly in WSL (not Docker in WSL, and without the http_proxy env vars)? curl -I -svo /dev/null -x http://192.168.123.68:7890 https://www.google.com

    dnsTunneling=true and autoProxy=true may create a workable illusion.

    The question here is how you determine the host IP address in WSL; the link above resolves this.

  2. If the port can be accessed from WSL, then the Docker-to-proxy port issue is completely unrelated to WSL; maybe a Linux firewall issue (banned LAN outgoing for dockerd)? You can try whether you can access sites that don't require a proxy.

  3. Configure your proxy to accept LAN access; if you are using clash etc., you can add firewall rules easily.

  4. Does nslookup work correctly? This should be something that needs to be addressed after port access is resolved.

@nzlov

nzlov commented Apr 29, 2024

@zhangzhao219 @hzhq1255 Check that the docker daemon configuration disables iptables. Maybe another port forwarding program is needed.
